The insurer which spam emails its own staff

The country’s largest insurer is sending fake phishing emails to its own staff to test them on their ability to identify scams. Its 3500 staff are sent a phishing email once a month and those who click on links are then sent an instant reminder to undertake cyber security training.

“We started with something quite simple.”

Not many people fell for the first one but a more elaborate second scam got more clicks. “I’m not too keen to let people know how many people clicked on the phishing email. The number to start with was really low. The more important part was that it raised awareness across all staff not just about phishing emails but security.” It also prompted more people to click on its internal cyber security warning button which automatically sends a notice to its cyber defence centre.

Corporates were also sharing scam warnings with each other, putting aside their competitive differences. “We do talk to each other. It is the good guys versus the bad.”

How to protect yourself

Cyber security expert Mark Knowles said the most important way for individuals to protect against cyber attacks was password control.

Knowles said a big mistake was using the word Password as your password. While capitalising the P and changing the a to an @ symbol might seem clever, that was not enough to provide protection. Knowles said people should not tell anyone their password and should try using passwords that were more complex than pet names, suggesting they could relate to a favourite song or an event that happened that day.

At the other end of the scale, random letter-and-number passwords were also not helpful if people ended up writing them down on a post-it note or piece of paper. “I think the thing with cyber security is getting your basics right.” Knowles said people should have a secure password and change it regularly.

The other big no-no was putting too much trust in people met online. “People you have met online are not as trustworthy as people you have met in person.”

“We are all busy but take a few extra seconds to read the email.” He said usually the grammar was poor, although more sophisticated email scams were getting better at this. Hovering the cursor over the link without clicking on it often gave a clue that the email was a phishing scam, as it would come up with words or a phrase that seemed suspicious.

Knowles said those who were targeted by phishing scams should report it either to CertNZ or Netsafe.

Top ways to protect your business

• Restrict privileged access users – those people who are allowed to make changes to the computer systems

• Patching is really important

• Whitelist the websites staff are allowed to visit and block access to any site outside that list.